undefined | Better HN

0 pointslandgenoot10mo ago0 comments

You need a domain in order to get the s in https to work

0 comments

That's not correct.

LetEncrypt are trialling ip address https/TLS certificates right now:

https://letsencrypt.org/2025/07/01/issuing-our-first-ip-addr...

They say:

"In principle, there’s no reason that a certificate couldn’t be issued for an IP address rather than a domain name, and in fact the technical and policy standards for certificates have always allowed this, with a handful of certificate authorities offering this service on a small scale."

noduerme10mo ago

right, this was announced about two weeks ago to some fanfare. So in principle there was no reason not to do it two decades ago? It would've been nice back then. I never heard of any certificate authority offering that.

fs11110mo ago

> I never heard of any certificate authority offering that.

DigiCert does. That is where 1.1.1.1 and 9.9.9.9 get their valid certificates from

crabique10mo ago

Most CAs offer them, the only requirement is that it's at least an OV (not DV) level cert, and the subject organization proves it owns the IP address.

bombcar10mo ago

It the beginning of HTTPS you were supposed to look for the padlock to prove if was a safe site. Scammers wouldn’t take the time and money to get a cert, after all!

So certs were often tied with identity which an IP really isn’t so few providers offered them.

kbolino10mo ago

An IP is about as much of an identity as a domain is.

There are two main reasons IP certificates were not widely used in the past:

- Before the SAN extension, there was just the CN, and there's only one CN per certificate. It would generally be a waste to set your only CN to a single IP address (or spend more money on more certs and the infrastructure to maintain them). A domain can resolve to multiple IPs, which can also be changed over time; users usually want to go to e.g. microsoft.com, not whatever IP that currently resolves to. We've had SANs for awhile now, so this limitation is gone.

- Domain validation (serve this random DNS record) involves ordinary forward-lookup records under your domain. Trying to validate IP addresses over DNS would involve adding records to the reverse-lookup in-addr.arpa domain which varies in difficulty from annoying (you work for a large org that owns its own /8, /16, or /24) to impossible (you lease out a small number of unrelated IPs from a bottom-dollar ISP). IP addresses are much more doable now thanks to HTTP validation (serve this random page on port 80), but that was an unnecessary/unsupported modality before.

maxloh10mo ago

Nope. That is not correct. https://1.1.1.1/dns-query is a perfectly valid DoH resolver address I've been using for months.

Your operating system can validate the IP address of the DNS response by using the Subject Alternative Name (SAN) field within the CA certificate presented by the DoH server: https://g.co/gemini/share/40af4514cb6e

yread10mo ago

what about certificate for IP address?

landgenootOP10mo ago

What about a route that gets hijacked? There is no HSTS for IP addresses.

sathackr10mo ago

Presumably the route hijacker wouldn't have a valid private key for the certificate so they wouldn't pass validation

federiconafria10mo ago

What about a reverse DNS lookup?

j / k navigate · click thread line to collapse